Solved: Re: How do you use regex on 2 fields and combine t...

krusovice · ‎12-04-2018

Hi all,

I have a simple regex to extract 2 fields — name1 and name2. And I would need to combine it like this: name1.name2 and send it to xyseries as one name. I can't make it work with the below query.

| rex "line1\=(?<name1>[\w+]+)" 
| rex "line2\=(?<name2>[\w+]+)"
| eval fullname=name1.name2
| xyseries fullname date_hour count

Could someone please help me? Thank you in advance.

bjoernjensen · ‎12-04-2018

Hey,

most probably you have some NULL values. Use fillnull with an appropriate value (could also be NULL not an empty string as below):

| rex "line1\=(?<name1>[\w+]+)" 
| rex "line2\=(?<name2>[\w+]+)"
| fillnull name1 value=""
| fillnull name2 value=""
| eval fullname=name1.".".name2
| xyseries fullname date_hour count

Additionally this will actually add a dot . between name1 and name2

If that is not working... please provide the result without the last xyseries ...

Hope that helps,
Björn

View solution in original post

martin_mueller · ‎12-06-2018

Is there a reason for using xyseries with date_hour instead of timechart span=1h?
The date_foo fields are often trouble.

bjoernjensen · ‎12-04-2018

Hey,

most probably you have some NULL values. Use fillnull with an appropriate value (could also be NULL not an empty string as below):

| rex "line1\=(?<name1>[\w+]+)" 
| rex "line2\=(?<name2>[\w+]+)"
| fillnull name1 value=""
| fillnull name2 value=""
| eval fullname=name1.".".name2
| xyseries fullname date_hour count

Additionally this will actually add a dot . between name1 and name2

If that is not working... please provide the result without the last xyseries ...

Hope that helps,
Björn

krusovice · ‎12-13-2018

Thank you, you have given some clue how to fix my SPL. Thank you.

kamlesh_vaghela · ‎12-04-2018

@krusovice

Can you please share you sample events?

krusovice · ‎12-04-2018

raw data like this:

line1=aaa
line2=yyy

Expected fullname should be aaa.yyy in x-axis of the table.

kamlesh_vaghela · ‎12-05-2018

@krusovice

As per you given event, name1 and name2 are in separate event. So you have to make it in single event by aggregating. like using stats values

| stats values(name1) as name1 values(name2) as name2 by date_hour

here if you have any unique id for both events then you have to use it in by clause.

| stats values(name1) as name1 values(name2) as name2 by <<UNIQUE_ID>>

For reference see below search.

| makeresults 
| eval _raw="line1=aaa" 
| append 
    [| makeresults 
    | eval _raw="line2=yyy"] | eval ID=10 | eval date_hour=10
| rex "line1=(?<name1>[\w+]+)" 
| rex "line2=(?<name2>[\w+]+)"  
| stats values(name1) as name1 values(name2) as name2 count by ID date_hour
| eval fullname=name1.".".name2
| xyseries fullname date_hour count

Thanks

prakash007 · ‎12-04-2018

How about this..

| rex "line1\=(?<name1>[\w+]+)" 
| rex "line2\=(?<name2>[\w+]+)"
| eval fullname=name1." ".name2
| xyseries fullname date_hour count

krusovice · ‎12-04-2018

Hi @prakash007,

Thanks for reply, it is not working.

How do you use regex on 2 fields and combine them into one field for an xyseries?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!